Bots bypass WAF with /.well-known/ in URI

I’m just curious if Cloudflare lets some request bypass WAF rules.

This is what I see on my server’s Apache logs:

I have 3 rules in WAF that should have prevented that IP from accessing my server. The rules in order are:

  1. The IP belongs to an ASN that I have already blocked:
    (ip.geoip.asnum in {40021})
  2. The requests don’t have user-agents but still bypassed my other rule.
    (http.user_agent eq "")
  3. The requested paths match a rule that’s supposed to block them.
    (http.request.uri contains "/.well-known/" and not cf.verified_bot_category in {"Security"})

All these rules are set to “block”. My sites are correctly proxied/“orange cloud” in the DNS settings. The only thing I can think of is that CF lets requests with /.well-known/ bypass the WAF by default since it’s used in certificate renewals. Is this correct?
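As an added example (not code from the original post or from Cloudflare), the three rule conditions above can be replayed locally over origin log lines to confirm which requests they should have caught before concluding a bypass occurred. The Apache log lines, the IP-to-ASN table and the absence of the Cloudflare-only `cf.verified_bot_category` field are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed Apache combined-log lines (sample data, not from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [10/Jan/2024:12:00:02 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [10/Jan/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Assumed ASN lookup; a real check would consult a GeoIP/ASN database.
ASN_BY_IP = {"203.0.113.7": 40021, "198.51.100.9": 64496}
BLOCKED_ASNS = {40021}  # mirrors: ip.geoip.asnum in {40021}

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"$'
)

@dataclass
class Request:
    ip: str
    path: str
    user_agent: str
    verified_bot_category: str = ""  # Cloudflare-side field, not visible at the origin

def parse_line(line):
    """Parse one combined-log line into a Request, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, ua = m.groups()
    # Apache writes "-" for a missing User-Agent; treat it as http.user_agent eq ""
    return Request(ip, path, "" if ua == "-" else ua)

def matching_rules(req):
    """Return the names of the three block rules this request would match."""
    hits = []
    if ASN_BY_IP.get(req.ip) in BLOCKED_ASNS:
        hits.append("asn")
    if req.user_agent == "":
        hits.append("empty_ua")
    # "and not X in {...}": the negation binds to the membership test only
    if "/.well-known/" in req.path and req.verified_bot_category not in {"Security"}:
        hits.append("well_known")
    return hits

def audit(log_text):
    """Return (ip, path, matched_rules) for every parsable line in the log."""
    reqs = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [(r.ip, r.path, matching_rules(r)) for r in reqs if r is not None]
```

Any line that comes back with a non-empty rule list reached the origin even though at least one block rule applies, which is the evidence to take to support.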
